At Traceable, we monitor 500 billion API calls a month from a really various buyer base throughout totally different industries and geographies. These prospects have end-users that span 180+ international locations. This broad spectrum of visitors gives Traceable with a singular vantage level to watch the evolving panorama of API design and the delicate strategies utilized by malicious actors to take advantage of vulnerabilities.
On common, a good portion of our API visitors—as much as 3%—is flagged as safety occasions, starting from one-shot malicious assaults to anomalous behaviors and orchestrated sequences of API calls aimed toward exploiting vulnerabilities or perpetrating enterprise fraud. Nearly all of these incidents align with the OWASP API High 10 Vulnerabilities, highlighting the important want for strong API safety practices.
Many of those vulnerabilities will be prevented by implementing some primary API design greatest practices. On this weblog put up, we’ll discover seven key features of API design. With APIs because the spine of most trendy purposes, prioritizing API safety from the outset is paramount. We encourage professionals engaged in API design, implementation, and safety to combine these essential API safety rules into their workflows.
Authentication and Authorization
Damaged Authentication is listed as one of many OWASP API prime 10 vulnerabilities. It generally arises from unauthenticated APIs, typically obscured behind client-side authentication, resulting in a false sense of safety.
API keys function a prevalent authentication technique for APIs, however they arrive with limitations –
- API keys can’t be used for authentication in untrusted environments the place an unauthorized actor can entry the API keys in-transit or at-rest, for instance in audit logs.
- API keys usually lack express expiration dates, permitting unauthorized actors to keep up long-term persistence and makes key revocation laborious to implement.
- API keys typically have a world scope which makes it tough to implement fine-grained entry management.
As a substitute of counting on API keys, think about a extra strong method to authentication and authorization, utilizing established requirements like OpenID and OAuth. Oauth allows explicitly scoped authorization together with token expiry and refresh flows.
Scoped Token Administration
Undefined or poorly defied scopes in APIs are one of many main causes of Damaged Operate Degree Authorization. API endpoints typically implement numerous capabilities, a few of which needs to be reserved for customers with elevated privileges. These might embrace particular API endpoints like /api/admin/ and/or particular HTTP strategies like DELETE or PUT and even distinctive parameters like /api/customers/?e mail=all. To mitigate this problem, APIs ought to set up a transparent hierarchy of scopes that align with consumer roles. The server should then validate the consumer’s position in opposition to the API scope, ideally in a separate enterprise logic layer.
Information Safety
Information integrity and confidentiality are foundational rules in digital communication. It’s crucial for all APIs to make the most of HTTPS to supply these basic ensures.
One prevalent anti-pattern in API design is extreme knowledge publicity. APIs typically expose a surplus of information that purchasers then filter on the presentation layer. Nevertheless, relying solely on client-side filtering is inadequate. Malicious customers can bypass these filters and straight entry the API, exposing delicate knowledge unintentionally. This vulnerability is called Damaged Object Property Degree Authorization.
Lastly, API servers should guarantee confidentiality of its personal secrets and techniques at-rest. For instance, if the server makes use of Oauth 2, correct storage and safety of the shopper secret and shopper id is paramount. Sadly, too typically they’re saved incorrectly in public purchasers like cell apps.
Enter Validation
Whereas most API visitors comes from trusted purposes, for instance a entrance finish for a cell app, that’s straight developed by a trusted staff, it may be tempting to introduce enter validation solely on the client-side, nevertheless attackers will typically ship requests to APIs straight.
Fundamental enter knowledge varieties like string, integers, dates and many others as a minimum require validation on format, character units, boundaries, vary and many others. For extra complicated knowledge varieties like URL, information, file path and many others, extra subtle enter validation could also be required. If a parameter is a URL, validate the URL to keep away from SSRF assaults. Equally, when coping with file parameters, validation is important to mitigate LFI assaults.
One other API vulnerability arising from insufficient enter validation is Mass project. Attackers exploit this weak spot by trying to govern object’s properties that they shouldn’t have entry to. Contemplate an API designed to create a brand new consumer that accepts enter parameters corresponding to username, title and e mail deal with. After enter validation of those parameters, the server might assign further properties like position=consumer, APIs susceptible to mass project would enable a consumer to incorporate a task parameter of their question and alter their position.
Audit Logging
Audit logs are immutable and tamperproof information of all API exercise that describes “Who did what, where, and when”. Audit logs of APIs are immensely helpful in debugging points, and investigating safety incidents. It is usually essential to contemplate the retention coverage of audit logs. We advocate no less than 30 days of scorching storage and a yr of chilly storage.
Furthermore, API builders ought to be sure that audit logs inadvertently don’t log any delicate info within the audit logs like JWT tokens, PII discipline and many others.
KISS (Hold It Easy Silly)
KISS design precept, because the title suggests, advocates for simplicity within the design. Within the realm of API design, this entails a number of key concerns.
- API endpoints ought to have a single duty. For RESTful API, it typically implies that a single API endpoint manipulates a single object kind, using numerous HTTP strategies corresponding to PUT, DELETE, and POST to facilitate totally different manipulations. When doubtful depend on trade requirements relatively than reinventing the wheel
- Keep away from overloading a single API with a number of operations. As a substitute, it’s preferable to decompose complicated operations into separate APIs. As a facet impact, it additionally improves the readability and future extensibility of the API
- APIs are sometimes topic to evolution and extensions. To accommodate future adjustments, it’s advisable to segregate new variations by incorporating a model quantity within the path parameters. As an example, utilizing “/v1/api/” and “/v2/api/” delineates distinct variations and facilitates seamless transition between them, simply keep in mind to decommission outdated variations!
Price Limiting
Price limiting is important for APIs to make sure optimum efficiency, stability, and safety. Price limiting safeguards in opposition to DoS assaults by proscribing the variety of requests a shopper could make inside a specified timeframe.
Price limits additionally assist stop abuse and misuse of APIs by limiting the variety of requests by a single shopper decreasing the chance of knowledge exfiltration makes an attempt. Notice that implementing fee limits per supply IP deal with isn’t as efficient, since these will be bypassed by means of anonymizing ahead proxies. We advocate implementing a fee restrict per auth token every time doable.
It is very important talk the speed restrict with the shopper utilizing correct HTTP headers like X-Ratelimit-* headers or graphql-rate-limit, and returning a 429 HTTP error code when the speed restrict is exceeded ensures that purchasers are conscious of and may adhere to the imposed limitations. Graphql question complexity calculator is one other option to defend in opposition to DoS assaults in opposition to graphql endpoints.